Impersonation problems


Chris

I have the following debugging system:
- WinXP Pro
- IIS 5.1 with Anonymous Access disabled and Windows Auth enabled
- Both my computer and the user I am logged on as are members of the AD
and Domain.
- IIS is running on the default setup account.

My production system:
- Windows 2003 Std
- IIS 6.0 with anonymous access disabled and Windows Auth enabled
- The computer is a member of the AD but is not logged on as a user
(since it is a server).
- IIS is running on the default setup account.

I have a project that uses a custom-built component "ADTool" that gets
names and such from the Active Directory. In certain situations, this
tool doesn't work, claiming that "The specified domain either does not
exist or could not be connected".

If Impersonation is enabled, it works on the debugging system, but
not on the production system. And vice versa.

This is really killing me (slow and painful) so I'd appreciate any help.

Regards
Chris
 
Hi Chris,

As I understand, you have an ASP.NET application which calls a third-party
component "ADtool". If you use the default ASP.NET account, the tool will
generate an error. If you use impersonation on your debug computer, it will
work. But this workaround didn't work on your production server (Windows
Server 2003).

First, you may check whether you impersonate the same Windows account on the
two computers, and whether the account has the same permissions on the two
computers. For example, if the account has administrator permission on your
debug computer, does it have the same permission on the production server?

You may also try a Windows application with the same code to call "ADtool",
to see if the tool can be executed on the server.

For more information on ASP.NET impersonation, you may refer to:

INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/default.aspx?scid=kb;EN-US;306158

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Hi Chris,

Have you tried my suggestions, and what was the result? If you need further
assistance on this issue, please post in this group and I will follow up
with you.

Luke
Microsoft Online Support

 
The ADTool works in console applications.

I would like the tool to work without impersonation. Impersonation works
in both cases if I run the pages that use ADTool, probably since I'm in
the Administrators group on each machine.

The ASPNET account on my debugging machine runs as machineName/ASPNET
but runs as NT AUTHORITY\NETWORK SERVICE on my Windows 2003 production
server. This is obviously the problem, but why is win2k3 running as that
user?

Regards
Chris

 
Hi Chris,

NT AUTHORITY\NETWORK SERVICE is the default account used by Windows Server
2003 for ASP.NET applications. It has fewer permissions and is suitable for
simple web applications. If a web application needs more permissions, we can
use the "System" account instead. I think the problem is related to the
permissions of "NT AUTHORITY\NETWORK SERVICE". They may not be the same as
ASPNET's permissions on Win XP. You may try the System account on the Windows
Server 2003 to see if it makes a difference.

Luke
Microsoft Online Support

 
Hi Chris,

Did you have any further questions on this?

Besides using NT AUTHORITY\NETWORK SERVICE, you can also create a custom
account and grant it the proper permissions to avoid security considerations
with NT AUTHORITY\NETWORK SERVICE. For more information on this, you may
refer to:

HOW TO: Configure NTFS File Permissions for Security of ASP.NET Applications
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q815153

Luke
Microsoft Online Support

 